The Inquirer-Home

Microsoft Vista has enormous gaping hole

Security blown out of the water
Wed Feb 14 2007, 07:33
A CHIP COMPANY called Microsoft said its "highly secure" Vista operating system has a whopping great security hole in its User Account Control.

According to the hackette who found it, Joanna Rutkowska, the hole means that the legendary default no-admin setting isn't a security mechanism any more. Got that?

Rutkowska told ZD Net that the UAC automatically assumes that all setup programs should be run with administrator privileges.

When you run such a program, you get a UAC prompt and you can either to agree to run this application as administrator or to disallow running it. Still awake?

So if "punters" download the Tetris "game", they would have the choice of giving the program total rights to their file system, registry and kernel drivers or not run it. At no point did Vole wonder why a Tetris installer be allowed to load kernel drivers.

In her bog 'Invisible Things', Rutkowska said that she should be offered a choice whether to fully trust the software or add a folder in C:Program Files and some keys under HKLMSoftware and do nothing more. This much better security option was possible under XP but has been dropped from Vista.

A Security Vole has dismissed the hole, claiming that the way Vista allowed access to different bits of the operating system was not that easy. He admitted that it was a weakness, but that was really a "design choice".

Rutkowska told ZD Net that she wasn't happy with Vole's flippant attitude to the potential risk by declaring that that all *implementation* bugs in UAC are not to be considered as security bugs.

More here and also here. Is that clear now? µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Dead electronic devices to be banned on US-bound flights

Will the new rules banning uncharged devices be effective?